Open Policy Agent (OPA)

Nov 2019

Defining and enforcing security policies uniformly across a diverse technology landscape is a challenge. Even for simple applications, you have to control access to their components — such as container orchestrators, services and data stores to keep the services' state — using their components' built-in security policy configuration and enforcement mechanisms.

We're excited about Open Policy Agent (OPA), an open-source technology that attempts to solve this problem. OPA lets you define fine-grained access control and flexible policies as code, using the Rego policy definition language. Rego enforces the policies in a distributed and unobtrusive manner outside of the application code. At the time of this writing, OPA implements uniform and flexible policy definition and enforcement to secure access to Kubernetes APIs, microservices APIs through Envoy sidecar and Kafka. It can also be used as a sidecar to any service to verify access policies or filter response data. Styra, the company behind OPA, provides commercial solutions for centralized visibility to distributed policies. We like to see OPA mature through the CNCF incubation program and continue to build support for more challenging policy enforcement scenarios such as diverse data stores.